A new worm has been observed exploiting the recently disclosed Exim vulnerability CVE-2019-10149 to install cryptocurrency miners on affected mail servers.
The worm identifies new target servers using a Python-based port scanning module. It then executes an initial script to install itself on each new server. Several further scripts are downloaded and executed to create cron jobs that maintain persistence and download other payloads. The worm also adds its own RSA authentication key to the server’s root directory.
Look for any unfamiliar cron jobs in your crontab and remove them. Restore legitimate cron jobs from existing backups.
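One way to carry out the check above in a repeatable way is to compare the current cron entries and the root account's authorized SSH keys against a baseline the administrator maintains. The script below is an added example, not code from the advisory or from the worm; the baselines, the crontab text and the key blobs are all constructed samples, and a real deployment would read /etc/crontab, the per-user spool files and /root/.ssh/authorized_keys instead.

```python
"""Baseline comparison of cron entries and root authorized_keys.

Added example (not the advisory's code). All inputs are constructed samples;
a real deployment would read /etc/crontab, /var/spool/cron/* and
/root/.ssh/authorized_keys and keep the baselines in configuration management.
"""
import base64
import hashlib

# --- constructed baselines an administrator would maintain ------------------
KNOWN_CRON = {
    "0 3 * * * root /usr/local/bin/backup.sh",
    "30 4 * * * root /usr/local/bin/rotate_logs.sh",
}
# Constructed key material standing in for real public-key blobs.
ADMIN_BLOB = base64.b64encode(b"constructed admin key material").decode()
UNKNOWN_BLOB = base64.b64encode(b"constructed unexpected key material").decode()


def key_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


KNOWN_KEY_FINGERPRINTS = {key_fingerprint(ADMIN_BLOB)}


def parse_crontab(text: str) -> list:
    """Return whitespace-normalised cron entries, skipping comments and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:   # environment assignment such as MAILTO=root
            continue
        entries.append(" ".join(line.split()))
    return entries


def unknown_cron_entries(text: str, known=KNOWN_CRON) -> list:
    """Cron entries absent from the baseline; candidates for review and removal."""
    return [e for e in parse_crontab(text) if e not in known]


def parse_authorized_keys(text: str) -> list:
    """Return (key_type, fingerprint, comment) for each key line.

    Options preceding the key type (e.g. command="...") are skipped by locating
    the first ssh-/ecdsa-/sk- token; quoted options containing spaces are not
    handled, which is acceptable for a baseline check.
    """
    keys = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                keys.append((tok, key_fingerprint(parts[i + 1]),
                             " ".join(parts[i + 2:])))
                break
    return keys


def unknown_keys(text: str, known=KNOWN_KEY_FINGERPRINTS) -> list:
    """Keys whose fingerprint is not in the baseline."""
    return [k for k in parse_authorized_keys(text) if k[1] not in known]


# --- constructed sample input -------------------------------------------------
SAMPLE_CRONTAB = """\
# /etc/crontab (constructed sample)
MAILTO=root
0 3 * * *   root /usr/local/bin/backup.sh
30 4 * * *  root /usr/local/bin/rotate_logs.sh
*/10 * * * * root /tmp/placeholder_payload.sh
"""

SAMPLE_AUTHORIZED_KEYS = f"""\
ssh-rsa {ADMIN_BLOB} admin@constructed
ssh-rsa {UNKNOWN_BLOB} constructed-unknown
"""

if __name__ == "__main__":
    for entry in unknown_cron_entries(SAMPLE_CRONTAB):
        print("unexpected cron entry:", entry)
    for key_type, fp, comment in unknown_keys(SAMPLE_AUTHORIZED_KEYS):
        print("unexpected root key:", key_type, fp, comment)
```

Comparing fingerprints rather than raw key lines means a key re-added with different options or a different comment is still recognised, and a baseline kept under configuration management gives the restore step a known-good reference to work from.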
At the time of publication, only a cryptocurrency mining module has been seen being installed by the worm, although it is possible that other payloads may be installed in the future.
Indicators of Compromise
Patch every Exim installation in your organization and make sure it is updated to the most recent version, 4.92 at the current time.